Everything we know about the White House's IoT security tagging effort


Home security cameras are some of the first devices to be considered for a security “nutritional label” that could be released in the spring of 2023.

Getty Pictures

The White House released a statement Wednesday, essentially saying that it’s hosting a big meeting with big names and that some sort of security label for smart devices will arrive in the spring of 2023. Here is what we know and what is likely to come out of it.

One of the top recommendations in the March 2020 report of the US Cyberspace Solarium Commission, whose name recalls the Eisenhower administration’s rethink of Cold War strategy, was to “establish a national cybersecurity certification and labeling authority.” The “non-profit” would become a labeling authority for at least five years, labeling products based on the consensus of the Commerce and Homeland Security departments and “experts from the federal government, academia, nonprofit organizations, and the private sector.”

According to the White House, it’s all about who shows up. Amazon, Comcast, Google, Intel, LG, Samsung, Sony and other private organizations have appeared. So have lobby groups and other organizations, including the Connectivity Standards Alliance (the consortium behind Matter), the American National Standards Institute (ANSI), Consumer Reports, the Consumer Technology Association, the CTIA, and the National Retail Federation. Add in almost every safety-related government agency and you have the panel the Solarium Commission recommended.

Details about the label itself, how it existed until now, and what it would evaluate or measure were not available, but there were clues. CyberScoop reported that a White House official said device ratings could be based on “vulnerability removal, the amount of information collected about consumers, whether data is encrypted and interoperability with other products.”

As for how the label might look, there is at least one template. Researchers from Carnegie Mellon University, one of the parties invited to the summit, had already created a security “nutrition label.” The university claims that the label, based on input from more than 22 groups, performs well with users. It provides multiple levels of disclosure based on common IoT pain points: default passwords, security updates, offline functionality, and the like.

You can even create your own voluntary security label, or just kick the tires, like I did.

I don't know why we created this smart doorbell, but we are committed to updating it for at least three years.

Kevin Purdy / Carnegie Mellon

The White House told reporters on Thursday it aims to “keep things simple” with a code that can be scanned by phones to show security and privacy information.

Which products will get the labels? The White House told reporters on Wednesday that it will begin with voluntary tagging in the spring of 2023, focusing on “particularly vulnerable internet-connected devices such as routers” and home cameras.

The White House press release states that this effort seeks to “create a globally recognized label.” CyberScoop reported earlier this month that the task force is working with the European Union to “align with standards.” It is noteworthy, then, that the United States is attending International Cyber Week in Singapore, where Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technology, said that the United States views Singapore as the “world leader in IoT,” as reported by The Register.

Singapore’s Cybersecurity Labeling Scheme rates nearly every Internet-connected consumer device in that country on a four-star scale. The system is recognized by Finland and, as of today, by Germany. At this week’s conference, it was announced that the system could soon extend to medical devices. Whatever system the US designs, it’s a good bet that it will want to achieve at least some level of reciprocity with the Singapore system.

The Cybersecurity Labeling Scheme in Singapore, where consumer devices receive one of four rating levels based on their security practices.

Is there a Matter aspect to this labeling? Almost certainly, given the CSA’s presence at the White House summit. Matter certification requires devices to use AES encryption when communicating between networks, be able to receive updates over the air, be code signed, and have secure storage for keys and certificates, which are checked against a blockchain ledger. Some or all of these aspects (minus the blockchain bit) are likely to be considered in security labels.

While the first version of this security label will almost certainly be a compromised, politically acceptable effort, anything is likely to be better than the system we currently have: searching online for smart home brand and manufacturer names one by one, followed by “breach” and “security bug.”
